func TestAuthSign(t *testing.T) {
conf, err := config.LoadConfig([]byte(validAuthLocalConfig))
if err != nil {
t.Fatal(err)
}
for i, test := range signTests {
resp, body := testAuthSignFile(t, test.Hosts, test.Subject, test.CSRFile, conf.Signing.Default)
if resp.StatusCode != test.ExpectedHTTPStatus {
t.Logf("Test %d: expected: %d, have %d", i, test.ExpectedHTTPStatus, resp.StatusCode)
t.Fatal(resp.Status, test.ExpectedHTTPStatus, string(body))
}
message := new(api.Response)
err := json.Unmarshal(body, message)
if err != nil {
t.Logf("failed to read response body: %v", err)
t.Fatal(resp.Status, test.ExpectedHTTPStatus, message)
}
if test.ExpectedSuccess != message.Success {
t.Fatalf("Test %d: expected: %v, have %v", i, test.ExpectedSuccess, message.Success)
t.Fatal(resp.Status, test.ExpectedHTTPStatus, message)
}
if test.ExpectedSuccess == true {
continue
}
if test.ExpectedErrorCode != message.Errors[0].Code {
t.Fatalf("Test %d: expected: %v, have %v", i, test.ExpectedErrorCode, message.Errors[0].Code)
t.Fatal(resp.Status, test.ExpectedHTTPStatus, message)
}
}
}
// helper functions
func newConfig(t *testing.T, configBytes []byte) *config.Config {
conf, err := config.LoadConfig([]byte(configBytes))
if err != nil {
t.Fatal("config loading error:", err)
}
if !conf.Valid() {
t.Fatal("config is not valid")
}
return conf
}
func TestNewAuthHandlerWithNonAuthProfile(t *testing.T) {
conf, err := config.LoadConfig([]byte(validLocalConfig))
if err != nil {
t.Fatal(err)
}
_, err = NewAuthHandler(testCaFile, testCaKeyFile, conf.Signing)
if err == nil {
t.Fatal("No profile have auth keys. Should have failed to create auth sign handler.")
}
}
func TestNewHandlerWithProfile(t *testing.T) {
conf, err := config.LoadConfig([]byte(validLocalConfig))
if err != nil {
t.Fatal(err)
}
_, err = NewHandler(testCaFile, testCaKeyFile, conf.Signing)
if err != nil {
t.Fatal(err)
}
}
func TestNewAuthHandlerWithNoAuthConfig(t *testing.T) {
conf, err := config.LoadConfig([]byte(validLocalConfig))
if err != nil {
t.Fatal(err)
}
_, err = NewAuthHandler(testCaFile, testCaKeyFile, conf.Signing)
if err == nil {
t.Fatal("Config doesn't have auth keys. Should have failed.")
}
return
}
func newTestAuthHandler(t *testing.T) http.Handler {
conf, err := config.LoadConfig([]byte(validAuthLocalConfig))
if err != nil {
t.Fatal(err)
}
h, err := NewAuthHandler(testCaFile, testCaKeyFile, conf.Signing)
if err != nil {
t.Fatal(err)
}
return h
}
func TestNewHandlersWithAnotherMixedProfile(t *testing.T) {
conf, err := config.LoadConfig([]byte(alsoValidMixedLocalConfig))
if err != nil {
t.Fatal(err)
}
_, err = NewHandler(testCaFile, testCaKeyFile, conf.Signing)
if err != nil {
t.Fatal("Should be able to create non-auth sign handler.")
}
_, err = NewAuthHandler(testCaFile, testCaKeyFile, conf.Signing)
if err != nil {
t.Fatal("Should be able to create auth sign handler.")
}
}
func TestSignerDBPersistence(t *testing.T) {
conf, err := config.LoadConfig([]byte(validLocalConfigLongerExpiry))
if err != nil {
t.Fatal(err)
}
var s *local.Signer
s, err = local.NewSignerFromFile(testCaFile, testCaKeyFile, conf.Signing)
if err != nil {
t.Fatal(err)
}
db := testdb.SQLiteDB("../../certdb/testdb/certstore_development.db")
if err != nil {
t.Fatal(err)
}
dbAccessor = sql.NewAccessor(db)
s.SetDBAccessor(dbAccessor)
var handler *api.HTTPHandler
handler, err = NewHandlerFromSigner(signer.Signer(s))
if err != nil {
t.Fatal(err)
}
ts := httptest.NewServer(handler)
defer ts.Close()
var csrPEM, body []byte
csrPEM, err = ioutil.ReadFile(testCSRFile)
if err != nil {
t.Fatal(err)
}
blob, err := json.Marshal(&map[string]string{"certificate_request": string(csrPEM)})
if err != nil {
t.Fatal(err)
}
var resp *http.Response
resp, err = http.Post(ts.URL, "application/json", bytes.NewReader(blob))
if err != nil {
t.Fatal(err)
}
body, err = ioutil.ReadAll(resp.Body)
if err != nil {
t.Fatal(err)
}
if resp.StatusCode != http.StatusOK {
t.Fatal(resp.Status, string(body))
}
message := new(api.Response)
err = json.Unmarshal(body, message)
if err != nil {
t.Fatalf("failed to read response body: %v", err)
}
if !message.Success {
t.Fatal("API operation failed")
}
crs, err := dbAccessor.GetUnexpiredCertificates()
if err != nil {
t.Fatal("Failed to get unexpired certificates")
}
if len(crs) != 1 {
t.Fatal("Expected 1 unexpired certificate in the database after signing 1: len(crs)=", len(crs))
}
}
// NewCertificateAuthorityImpl creates a CA instance that can sign certificates
// from a single issuer (the first first in the issers slice), and can sign OCSP
// for any of the issuer certificates provided.
func NewCertificateAuthorityImpl(
config cmd.CAConfig,
clk clock.Clock,
stats statsd.Statter,
issuers []Issuer,
keyPolicy core.KeyPolicy,
) (*CertificateAuthorityImpl, error) {
var ca *CertificateAuthorityImpl
var err error
logger := blog.Get()
if config.SerialPrefix <= 0 || config.SerialPrefix >= 256 {
err = errors.New("Must have a positive non-zero serial prefix less than 256 for CA.")
return nil, err
}
// CFSSL requires processing JSON configs through its own LoadConfig, so we
// serialize and then deserialize.
cfsslJSON, err := json.Marshal(config.CFSSL)
if err != nil {
return nil, err
}
cfsslConfigObj, err := cfsslConfig.LoadConfig(cfsslJSON)
if err != nil {
return nil, err
}
if config.LifespanOCSP.Duration == 0 {
return nil, errors.New("Config must specify an OCSP lifespan period.")
}
internalIssuers, err := makeInternalIssuers(
issuers,
cfsslConfigObj.Signing,
config.LifespanOCSP.Duration)
if err != nil {
return nil, err
}
defaultIssuer := internalIssuers[issuers[0].Cert.Subject.CommonName]
rsaProfile := config.RSAProfile
ecdsaProfile := config.ECDSAProfile
if rsaProfile == "" || ecdsaProfile == "" {
return nil, errors.New("must specify rsaProfile and ecdsaProfile")
}
ca = &CertificateAuthorityImpl{
issuers: internalIssuers,
defaultIssuer: defaultIssuer,
rsaProfile: rsaProfile,
ecdsaProfile: ecdsaProfile,
prefix: config.SerialPrefix,
clk: clk,
log: logger,
stats: stats,
keyPolicy: keyPolicy,
forceCNFromSAN: !config.DoNotForceCN, // Note the inversion here
enableMustStaple: config.EnableMustStaple,
}
if config.Expiry == "" {
return nil, errors.New("Config must specify an expiry period.")
}
ca.validityPeriod, err = time.ParseDuration(config.Expiry)
if err != nil {
return nil, err
}
ca.maxNames = config.MaxNames
return ca, nil
}
